Hundreds of thousands of Microsoft Exchange Servers around the world could have been breached by attackers using exploits in the tech giant’s email software.
Last week, Microsoft rolled out patches for four critical zero-day vulnerabilities affecting its enterprise Exchange Server products, which Microsoft said were being actively exploited by a Chinese threat actor called Hafnium.
The vulnerabilities let attackers leverage existing access to servers to run remote-controlled commands and pilfer data from unsuspecting organisations.
Along with fixes to its 2013, 2016, and 2019 versions of Microsoft Exchange Server, the company also released a patch for the unsupported Exchange Server 2010 software – suggesting the remote code vulnerabilities had gone unnoticed for over a decade.
Sources close to an investigation into the widespread breach told Wired and KrebsOnSecurity the number of hacked servers exceeded 30,000 in the US alone and could extend to hundreds of thousands of machines globally.
"It's massive. Absolutely massive," one source told Wired. "We're talking thousands of servers compromised per hour, globally."
Speaking at a press briefing last Friday, White House press secretary Jen Psaki said the incident was a “significant vulnerability” with “far-reaching impacts”.
“This is an active threat and everyone running these servers – government, private sector, academia – needs to act now to patch them,” she said.
“We are concerned that there are a large number of victims and we are working with our partners to understand the scope of this.”
Don’t just patch and move on
Cybersecurity experts are warning network administrators to take action beyond merely applying Microsoft’s patches in order to combat potential malicious activity on their systems.
The Australian Cyber Security Centre (ACSC) published a high alert notice about the vulnerability, encouraging admins to “undertake the detection steps” outlined by Microsoft, which include a script for scanning Exchange log files to find indicators of compromise.
The ACSC also recommends organisations apply steps to mitigate and detect malicious web shell activity.
Former director of the US Cybersecurity and Infrastructure Security Agency (CISA), Chris Krebs, said network admins should brace for the worst.
“Assume you’re owned [and] look for activity,” he tweeted.
“If you aren’t capable of hunting or can’t find a team to help, disconnect and rebuild, [then] move to the cloud.
“This is a crazy huge hack.”
CEO of Sydney-based cyber firm Avertro, Ian Yip, said it is vital for IT teams to adequately communicate the importance of applying fixes to senior leadership.
“What's usually difficult to ascertain for most organisations is how ‘immediate’ everything needs to be,” he said.
“Taken in a macro-context, leadership needs to factor in the implications to the business. Will business continuity be impacted? What are the risks of patching immediately versus tomorrow or over the weekend? Is the cyber risk higher than the commercial risk?”